CVE-2023-28154 in Webpack
Summary
by MITRE • 03/13/2023
Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.
Analysis
by VulDB Data Team • 07/06/2025
The vulnerability identified as CVE-2023-28154 affects Webpack 5 versions prior to 5.76.0 and stems from a cross-realm object access issue within the ImportParserPlugin.js module. This flaw specifically manifests when handling magic comment features, creating a potential pathway for attackers to gain unauthorized access to the real global object through manipulation of untrusted object properties. The vulnerability represents a significant security concern as it allows for privilege escalation and arbitrary code execution within the context of the webpack build process.
Technically, the vulnerability lies in the way Webpack handles cross-realm object access during module parsing. When the ImportParserPlugin processes magic comments, it fails to properly sanitize or validate object properties that originate from untrusted sources. An attacker can therefore manipulate object properties in a way that bypasses normal security boundaries and reach the real global object, which should remain isolated from user-controlled inputs. The flaw operates at the JavaScript engine level, where realm boundaries are not properly enforced during object property access operations.
From an operational impact perspective, this vulnerability could enable attackers to execute malicious code during the webpack build process, potentially compromising the entire build environment. The attack vector typically involves an attacker who can influence the content of webpack configuration files or module dependencies, allowing them to inject malicious properties that trigger the cross-realm access pattern. This vulnerability affects developers who rely on webpack for their build processes and could lead to supply chain compromises if malicious actors target popular npm packages or build configurations.
The security implications extend beyond simple code execution, as this vulnerability can be leveraged to access sensitive build-time information, manipulate build artifacts, or even inject malicious code into the final compiled output. This aligns with CWE-215, which addresses information exposure through improper error handling, and can be categorized under ATT&CK technique T1059.006 for execution through scripting. The vulnerability also relates to CWE-787, out-of-bounds write conditions, as the improper handling of object properties can lead to memory corruption scenarios.
Organizations should immediately update their Webpack installations to version 5.76.0 or later to mitigate this vulnerability. Additionally, security teams should implement monitoring for unusual webpack build behaviors and review all webpack configuration files for potential injection points. The recommended mitigation strategy includes applying the official patch, implementing strict input validation for webpack configuration files, and conducting security reviews of npm dependencies that may be vulnerable to similar cross-realm access issues. Regular security assessments of build environments and supply chain components should be performed to prevent exploitation of similar vulnerabilities.
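The update check described above can be automated against a lockfile. The following is an added example, not code from Webpack or VulDB: it scans the `packages` map of a parsed `package-lock.json` (lockfileVersion 2 or 3) for webpack installs in the affected range, including copies nested under other dependencies. The function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: flag webpack installs in the range the advisory names
// (Webpack 5 before 5.76.0) from a parsed package-lock.json.

const FIXED = [5, 76, 0]; // first fixed release, per the advisory

// Parse "major.minor.patch[-prerelease]"; returns null if malformed.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v));
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// True when the version is on the 5.x line and sorts before 5.76.0.
function isAffected(version) {
  const p = parseVersion(version);
  if (!p || p.nums[0] !== FIXED[0]) return false; // only Webpack 5 is in scope
  for (let i = 1; i < 3; i++) {
    if (p.nums[i] !== FIXED[i]) return p.nums[i] < FIXED[i];
  }
  return p.pre; // a 5.76.0 prerelease sorts before 5.76.0 under semver
}

// Walk the lockfile "packages" map; keys look like
// "node_modules/a/node_modules/webpack" for nested copies.
function findAffectedWebpack(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/webpack")) continue;
    if (isAffected(meta.version)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed sample lockfile (hypothetical package names, not a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/webpack": { version: "5.76.0" },
    "node_modules/legacy-tool/node_modules/webpack": { version: "5.75.0" },
    "node_modules/old-plugin/node_modules/webpack": { version: "4.46.0" },
    "node_modules/webpack-cli": { version: "5.0.1" },
  },
};

console.log(findAffectedWebpack(SAMPLE_LOCK));
```

A top-level webpack at a fixed version does not clear the project: the nested copy under `legacy-tool` in the sample is still in the affected range and is the only entry reported.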